Update: Excuses on iPod virus not credible

Redmond virus scanning expert offers to help clean up iPod mess

Security and quality assurance experts reacted negatively to Apple Computer's efforts Tuesday to blame manufacturing problems that resulted in iPod MP3 players shipping with a virus that affects Microsoft's Windows operating system.

Security professionals, including Microsoft's own product release virus scanning chief, called Apple's efforts to deflect blame onto Microsoft misleading and said the batch of factory-infected iPods reveals a troubling lack of thoroughness in the company's manufacturing process.

On Monday, Apple released a statement on its Web site noting that a "small number of video iPods shipped with a Windows virus," which the company identified as RavMonE.exe. The number of affected iPods is small -- less than 1 percent of all Video iPods available for purchase after Sept. 12, 2006, the company said in its statement, adding "as you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it."

That statement drew criticism from security experts, including Jonathan Poon, the man in charge of scanning Microsoft products for viruses before they ship.

"It's not a matter of which platform the virus originated [on]. The fact that it's found on the portable player means that there's an issue with how the quality checks, specifically the content check, was done," Poon wrote in a blog entry.

James "Randy" Abrams, who held Poon's job for more than a decade at Microsoft and is now director of technical education at ESET, agreed.

"The Apple iPod incident was not about Microsoft having a hardy operating system, it was all about security and process," Abrams told InfoWorld in an e-mail message.

Viruses on Microsoft's network weren't unusual when Abrams was testing that company's products before shipping them, he said.

"I released software in an environment surrounded by Windows machines. Many machines on the corporate network were infected. We never introduced a virus into the software in the release or manufacturing processes because we had a professional understanding of what it took to release what we were supposed to," he said.

"That Apple would blame Microsoft demonstrates a lack of understanding of remedial security and manufacturing processes. Virus was only a symptom of the problem. Apple didn't know what they were shipping," Abrams said.

Greg Joswiak, vice president of iPod product marketing at Apple declined to comment in detail about the iPod infections, but did acknowledge that around 25 systems were infected by a Windows system that was used during manufacturing to test compatibility with the devices. The RavMonE virus did not spread to the system through a network connection, but was installed by a peripheral device, he said.

Joswiak declined to speculate on whether the worm was intentionally introduced, or whether it was spread from an iPod to the machine.

He did, however, defend the company's manufacturing and quality control procedures.

"It was an exception to our process," he said. "We believe we have a good process and we're going forward."

Joswiak also stood by the company's statement regarding Windows.

"Isn't that true?" he responded when asked about the company's statement about Windows not being robust in the face of viruses.

"We tried to be open and explain what's going on. We're not trying to dismiss our role."

The news about the infected iPods was the second such story in recent days. On Monday, McDonald's admitted that 10,000 MP3 players that were given away in a promotion in Japan also contained a worm, identified as WORM-QQPASS.ADH.

Both Poon and Abrams said that Apple's response to the infected iPods fell short of McDonald's, even though the burger giant has precious little experience in the consumer electronics space.

"The difference in how McDonald's and Apple handled similar incidents paints a stark difference between management integrity and customer service focus," Abrams wrote.

"Both cases were flawed manufacturing processes. Mistakes can happen and smart companies accept responsibility, make things right with the customer, and fix the problems. Lesser companies play the blame game," he wrote.

McDonald's fix: a single link to Trend Micro's "Housecall" online virus scanning service and an open offer to replace infected players for free also won praise over Apple's response: a bunch of links to free antivirus software trials, including Microsoft's OneCare program, Poon wrote.

"Steve, if you need someone to advise on how to improve your quality checks, feel free to contact me," Poon said, referring to Apple CEO Steve Jobs.

Software companies have long known about the potential to introduce viruses and other malicious code during the manufacturing process, and have developed procedures to catch such infections.

Two such episodes in a week might indicate that malicious hackers have figured out that consumer device makers are less vigilant in their oversight, said Dennis Szerszen, vice president of marketing and corporate strategy at SecureWave, an end point security software vendor.

Apple may have had more lax oversight around the iPod because it wasn't software and wasn't, in itself, targeted by malicious code, he said.

"There may have been less rigor because they weren't cutting and shipping an OS," he said.

Given that, Apple is lucky that it was a virus that shipped on the iPods rather than pornography, pirated software, or some kind of religious or political propaganda that would have been even more damaging to Apple's name, Abrams said.

iPods and other consumer devices are increasingly finding their way onto enterprise networks, and are an increasingly common vector for attacks, he said.

""The end point is the final frontier in enterprise security, because it's where you and I bring our recreational attitudes and personal choices for how to work to bear," he said.

Companies should set up stringent policies about whether and how to use consumer electronics devices at work, but also set up systems to monitor their use and prevent malicious attacks or infections that might be carried by iPods, PDAs, and other consumer devices, Szerszen said.

Join the discussion
Be the first to comment on this article. Our Commenting Policies